Analytics Story: Clop Ransomware

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Clop ransomware, including file writes associated with Clop, encryption of network shares, deletion and resizing of shadow volume storage, registry key modification, deletion of security logs, and more.

Why it matters

According to an HHS bulletin, Clop ransomware campaigns targeting healthcare and other vertical sectors involve the use of ransomware payloads along with exfiltration of data. Malicious actors demand payment as ransom for the data and threaten deletion and exposure of the exfiltrated data.

Detections

Name | Technique | Type
Common Ransomware Extensions | Data Destruction | TTP
Clop Ransomware Known Service Name | Create or Modify System Process | TTP
Deleting Shadow Copies | Inhibit System Recovery | TTP
Suspicious wevtutil Usage | Clear Windows Event Logs | TTP
Common Ransomware Notes | Data Destruction | Hunting
Windows Event Logging Service Has Shutdown | Clear Windows Event Logs | Hunting
Clop Common Exec Parameter | User Execution | TTP
Resize ShadowStorage volume | Inhibit System Recovery | TTP
Windows High File Deletion Frequency | Data Destruction | Anomaly
Windows Service Created with Suspicious Service Name | Service Execution | Anomaly
Windows Service Created with Suspicious Service Path | Service Execution | TTP
Process Deleting Its Process File Path | Indicator Removal | TTP
Windows Eventlog Cleared Via Wevtutil | Clear Windows Event Logs | Anomaly
Ransomware Notes bulk creation | Data Encrypted for Impact | Anomaly
High Process Termination Frequency | Data Encrypted for Impact | Anomaly
Windows Event Log Cleared | Clear Windows Event Logs | TTP
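As an added example that is not part of this story or Splunk's own searches, the Python below expresses three of the TTP detections listed above (Deleting Shadow Copies, Resize ShadowStorage volume, Suspicious wevtutil Usage) as rules over process-creation records of the kind Sysmon EventID 1 or Security 4688 produce, then correlates hits per host, since recovery inhibition and log clearing on the same machine together are a stronger Clop indicator than either alone. The record fields, sample command lines and rule regexes are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample records shaped like process-creation events (host, image,
# command line). These are not real telemetry from any incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"host": "ws01", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"host": "ws02", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe qe Security /c:5"},   # benign log query, must not match
    {"host": "ws02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},        # benign listing, must not match
]

# Each rule maps a detection name from this story to an assumed regex over the
# command line. The resize rule flags any shadowstorage resize; an analyst then
# checks whether the new size is small enough to purge existing shadow copies.
RULES = {
    "Deleting Shadow Copies":
        re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "Resize ShadowStorage volume":
        re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I),
    "Suspicious wevtutil Usage":
        re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I),
}


def match_rules(events):
    """Return (host, detection_name, cmdline) for every event a rule matches."""
    hits = []
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev["cmdline"]):
                hits.append((ev["host"], name, ev["cmdline"]))
    return hits


def hosts_with_multiple_tactics(events, threshold=2):
    """Hosts on which at least `threshold` distinct detections fired, with the
    sorted detection names; this is the correlation an analyst would triage first."""
    per_host = defaultdict(set)
    for host, name, _ in match_rules(events):
        per_host[host].add(name)
    return {h: sorted(n) for h, n in per_host.items() if len(n) >= threshold}
```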

Data Sources

Name | Platform | Sourcetype | Source
Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log System 7045 | Windows | XmlWinEventLog | XmlWinEventLog:System
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log Security 1100 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 23 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 26 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 5 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 1102 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log System 104 | Windows | XmlWinEventLog | XmlWinEventLog:System

Source: GitHub | Version: 2